3 Jul 2026
Signal Headquarters
Vol. I
No. 85
Signal
· · 3 min read

Chinese criminal networks appear to share laundering infrastructure across cartels, North Korea, and pig butchering operations

Ari Redbord has identified a pattern in blockchain data that, if accurate, reframes how the West thinks about transnational financial crime. The same wallet addresses, he argues, are appearing across three distinct criminal categories. That is not coincidence. That is consolidation.

Ari Redbord has put a specific and consequential claim on the record: the same wallet addresses appear across cartel activity, North Korean hacks, and pig butchering fraud networks. The implication is not that these criminal categories occasionally overlap. The implication is that a consolidated laundering infrastructure serves all three at once.

The claim rests on on-chain evidence. Blockchain ledgers are public and permanent, which means wallet addresses can be traced across transactions over time. When an address appears in connection with a cartel payment, then in the proceeds of a state-sponsored theft, then in the layering stage of a romance fraud operation, the parsimonious explanation is not coincidence across unrelated actors. It is shared infrastructure, shared service, or shared network. Redbord draws the inference plainly: these are addresses associated with Chinese money laundering networks operating across all three threat categories simultaneously.

Each of the three categories on its own represents a significant law enforcement priority. Cartel proceeds from drug trafficking into the United States run into the hundreds of billions of dollars annually by most government estimates, and the question of how those proceeds get cleaned has driven decades of financial crime enforcement. North Korean state-sponsored hacking operations have targeted cryptocurrency exchanges and financial institutions with increasing sophistication, using the proceeds to fund weapons programs under international sanctions. Pig butchering, a fraud typology in which victims are cultivated over weeks or months before being lured into fake investment platforms, has extracted billions from victims across the United States, Europe, and Southeast Asia, with much of the operation centered in compounds in Myanmar, Cambodia, and other parts of the region. These three streams of criminal finance have traditionally been analyzed in their own institutional lanes, by different agencies, using different investigative frameworks.

If you look on chain at cartel activity, North Korea hacks, and these pig butchering networks, you see wallet addresses that are being used in all three of those laundering typologies or or or or or th- those threat categories, that that that we associate with Chinese money laundering networks. Ari Redbord

What Redbord’s observation suggests is that the laundering layer does not respect those lanes. If a single network of wallet addresses is processing proceeds for cartels, state actors, and fraud syndicates in parallel, then the entity operating that infrastructure has achieved something close to a criminal utility. It is agnostic about the upstream source of funds. It takes in proceeds from whichever criminal enterprise is paying and moves them through the same channels regardless of origin.

That matters for enforcement strategy. Most financial crime investigations follow a specific thread: trace the money from a known criminal act to a known account, identify the beneficiary, and build a case around the chain. If the laundering layer is shared across multiple unrelated criminal enterprises, that thread becomes harder to isolate. Disrupting a cartel’s financial network may require engaging the same infrastructure that is simultaneously serving a sanctioned nation-state, which raises jurisdictional, diplomatic, and operational complications that single-thread investigations do not.

It also matters for the regulatory picture around cryptocurrency more broadly. The argument that cryptocurrency enables criminal finance has long been met with the counterargument that blockchain transparency makes illicit flows easier to trace than cash. Both points are true, but Redbord’s claim adds a third dimension: the traceability of the ledger is only as useful as the analytical capacity to act on what it reveals. Seeing that three threat categories share wallet addresses is a finding. Translating that finding into enforcement action against a network that spans cartel jurisdictions, North Korean state actors, and Southeast Asian fraud compounds is a different order of problem entirely.

None of this has been independently confirmed by a second source here. Redbord is making a claim about what the on-chain data shows, and the strength of that claim depends on the quality of the clustering and attribution methods underlying it. Blockchain analytics is a field where methodology matters enormously, and attribution of wallet addresses to specific actors or networks involves inference as well as direct evidence. What can be said is that if the pattern Redbord describes holds up to scrutiny, the enforcement and policy implications are substantial enough to warrant treating it as a serious analytical proposition rather than a provocative edge case.

The Editor, for the readers of Signal Headquarters

From the Archive